OpenVPN on DD-WRT v24-sp2 build 16214 - Where is the logic?

zonnebril
DD-WRT User


Joined: 10 Jan 2011
Posts: 56

Posted: Tue Apr 26, 2011 13:03    Post subject: OpenVPN on DD-WRT v24-sp2 build 16214 - Where is the logic?
Guys,

I have done this post earlier but due to a SQL crash on the forum (I've read) my post has disappeared. That's very disappointing for me, cause there were a couple of helpful hints in it.

So here we go again:

Hardware: TP-LINK 1043ND
Firmware: DD-WRT v24-sp2 (02/17/11) std - Build 16214

I now use the PPTP VPN service, but I would like to use the more secure OpenVPN option.

I have tried many many times to get OpenVPN to work on my router. It has cost me several days to weeks figuring out (no kidding!), but I am still not able to succeed. I guess I totally miss the logic of the GUI here.

What I would like to do is to setup the DDWRT router to be the OpenVPN server. I used the following guides:

http://www.dd-wrt.com/wiki/index.php/VPN_(the_easy_way)_v24%2B

and

http://www.serverwatch.com/article.php/3896031/Setting-Up-OpenVPN-on-a-DD-WRT-Router-Part-2.htm

In both guides there is a list of the generated OpenVPN files that must be used in the DDWRT GUI boxes:

Public Server Cert: ca.crt
Certificate Revoke List: (leave blank)
Public Client Cert: server.crt
Private Client Key: server.key
DH PEM: dh1024.pem
OpenVPN Config: (see below)
OpenVPN TLS Auth: (leave blank)

Now my first question arises:
(Please see the attached screenshots, you need to login to see them. It makes my case a lot clearer).
I cannot enter the Public client cert and the Public client key under the OpenVPN server section.
These items are only available under the Client OpenVPN section in the GUI. So why do I need to paste information under the OpenVPN client section (the ones coloured in red in the above list)? I don't see any text in the guides that say that I must use the client section, but the required fields are only available under the client section.

I cannot believe that this is correct and I believe that my failure is somewhere in there. Under the Client section there are many other configurable items that are not mentioned. Thereby: I would like to setup a server, not a client.

The client will be a Windows7 or Windows 2008 machine, with openVPN client installed on it.

My feeling says that the OpenVPN section has changed and that the manuals are not up to date.

Is there anyone that has better experience with this and can help me out? I'm losing it...
ndewan
DD-WRT Guru


Joined: 14 Jan 2010
Posts: 553

Posted: Sun May 01, 2011 22:57
I guess I did try responding to your earlier post.

Read this link, I had posted it in case you were surfing this forum for help. Let me know if you need additional help.

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=137791&highlight=

_________________
===================================
1 * DIR-866L - 29193 Mega (Main Gateway)
1 * EA4200 - 29193 Mega (Main Gateway)
1 * EA6500 - 29193 Mega (Repeater Bridge)
1 * EA6500v2 - 29193 Mega (Repeater Bridge)
1 * WRT610N - 29193 Mega (Repeater Bridge)
===================================
zonnebril
DD-WRT User


Joined: 10 Jan 2011
Posts: 56

Posted: Wed May 04, 2011 6:51
ndewan wrote:
I guess I did try responding to your earlier post.

Read this link, I had posted it in case you were surfing this forum for help. Let me know if you need additional help.

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=137791&highlight=


ndewan, that is correct. You did respond to my first post.
I already have the certificates in place now. The connection can be made from a remote office.
The only thing I do not understand is that I can ping servers on my LAN for only a couple of seconds. Then the ping goes into timeout. The connection keeps existing, but I cannot do anything with it.

I would like to get to a setup where all traffic is routed through the VPN server (including internet). I've read the OpenVPN manuals about masquerade etc, forcing gateway but cannot get it to work. Probably also due to the fact that I lose connectivity after a few seconds (ping).

The gateway command gives a statement back that it does not understand the parameter.

Do you have any experience for routing all traffic/lose connection?
ndewan
DD-WRT Guru


Joined: 14 Jan 2010
Posts: 553

Posted: Thu May 05, 2011 4:25
Send me a diagram of your setup, and a copy of your client and server config files. I can take a look and see if there is anything amiss.

I have not had a problem with the pings failing.

What is your hardware and firmware build?

Send the files to NickDewan at gmail dot com.

ddwrt000019
DD-WRT User


Joined: 28 Oct 2009
Posts: 76

Posted: Sun May 08, 2011 20:54
All of the tutorials are outdated and need to be updated or removed.

Unless you're using a very old build of dd-wrt openvpn, the GUI interface is completely redesigned and some of the things are actually renamed, which makes it even harder to figure out.

That's part of why I was coming to these forums today, was to post a thread asking what's up with the redesigned GUI and outdated setups. imo all those script based examples are about as useful as tits on a boar; and the vpn-easy-way is full of errors and holes.

Somebody that knows what they are doing needs to do a simple intuitive tutorial that covers static key, certificates with and without tls, tcp vs udp, redirect-gateway, and maybe some other stuff I can't think of right now.

i'll start a forum post with this as the subject, and
if anyone wants to help me with this, quote and bump this post; or add some info to my.

if it ever gets finished we can ask one of the mods to erase the outdated crap and get a good wiki page or ddwrt openvpn.
RichTJ99
DD-WRT User


Joined: 21 Jan 2009
Posts: 68

Posted: Mon May 09, 2011 20:52
Did you guys ever get this figured out? I am in the same boat & am confused but I am anxious to get this working. Excited is a better word.
ndewan
DD-WRT Guru


Joined: 14 Jan 2010
Posts: 553

Posted: Mon May 09, 2011 21:00
RichTJ99 wrote:
Did you guys ever get this figured out? I am in the same boat & am confused but I am anxious to get this working. Excited is a better word.


Where are you stuck?

RichTJ99
DD-WRT User


Joined: 21 Jan 2009
Posts: 68

Posted: Tue May 10, 2011 3:41
OK, so I followed all steps, I have the server key generated, the clients1-3, the data inputted into DDwrt, including the firewall data.

Basically I followed the wiki.

My questions are as follows in my all windows environment.

What do I do next? Do I copy the server key to the PC I want to use as the 'server'? - Where do I put the key?

I see three conf files in the openvpn directory - client, sample, server.

What do I need to edit to get this going? I believe that the DDWRT is configured with the key information.

Thanks,
Rich
RichTJ99
DD-WRT User


Joined: 21 Jan 2009
Posts: 68

Posted: Tue May 10, 2011 3:49
I am also a little confused on what I need to edit in the client / server files. Will the defaults work?

I am looking to do 192.168.1.0 internal & 192.168.65.0 for open vpn.
RichTJ99
DD-WRT User


Joined: 21 Jan 2009
Posts: 68

Posted: Tue May 10, 2011 4:45
When I run the client file, I get this error right away before it even tries to connect.

I generated all the files on one machine. I then copied all samples, keys etc for server, client1, 2 & 3 all in one place (just to get started) but it fails instantly.

Any ideas?
ndewan
DD-WRT Guru


Joined: 14 Jan 2010
Posts: 553

Posted: Tue May 10, 2011 5:36
RichTJ99 wrote:
OK, so I followed all steps, I have the server key generated, the clients1-3, the data inputted into DDwrt, including the firewall data.

Basically I followed the wiki.

My questions are as follows in my all windows environment.

What do I do next? Do I copy the server key to the PC I want to use as the 'server'? - Where do I put the key?

I see three conf files in the openvpn directory - client, sample, server.

What do I need to edit to get this going? I believe that the DDWRT is configured with the key information.

Thanks,
Rich


Rich, you are probably going to hate me for this. I found the wiki too cryptic and instead followed a different set of instructions and used the GUI for the configuration. I posted my instructions on the following thread.

http://www.dd-wrt.com/phpBB2/viewtopic.php?t=137791&highlight=

You might want to take a look and see where you are in the sequence that I outlined.

You have to customize the default files for your setup.

Let me know where you are, I will probably need a brief description of your setup and the config files the way you have them. Send them to my personal email and I will help you offline.

Your firmware and hardware information will be helpful too. There are a few routers and builds that are problematic.

Thanks ..

ndewan
DD-WRT Guru


Joined: 14 Jan 2010
Posts: 553

Posted: Tue May 10, 2011 5:37
RichTJ99 wrote:
When I run the client file, I get this error right away before it even tries to connect.

I generated all the files on one machine. I then copied all samples, keys etc for server, client1, 2 & 3 all in one place (just to get started) but it fails instantly.

Any ideas?


Looks like your certs are in the wrong places. Please read the instruction I sent in my previous post.

RichTJ99
DD-WRT User


Joined: 21 Jan 2009
Posts: 68

Posted: Tue May 10, 2011 17:18
Thanks, that other guide was very helpful. I will save a copy. I think I have it working & can connect while tethering my cell phone to my laptop & VPN'ing in.

For some reason, I can't see all the devices by name, server doesn't pop up, but I can \\ipaddress.

A few questions.


1. My current IP address pool is 192.168.1.0 should I change it?

Code:
mode server
proto udp
port 1194
dev tap0
server-bridge 192.168.1.2 255.255.255.0 192.168.1.230 192.168.1.249
keepalive 10 120
daemon
verb 5
client-to-client
dh /tmp/openvpn/dh.pem
ca /tmp/openvpn/ca.crt
cert /tmp/openvpn/cert.pem
key /tmp/openvpn/key.pem
management localhost 5001



2. Can I use the client1 folder on each PC I want to use to VPN?

3. How can I test/tell if my traffic is being sent securely?

4. Can I configure DDWRT to send me a notification when a user is VPN'ing (it will only be me)?

5. I found it easier to see the ovpn file using MS word. I managed to change the file association so now I am using a dos window to launch openvpn client1.ovpn to get the connection started.

Is there an easier way?

Thanks!

Rich
ndewan
DD-WRT Guru


Joined: 14 Jan 2010
Posts: 553

Posted: Tue May 10, 2011 17:42
Rich,

1. I would recommend that you do. Depending on your usage of the OpenVPN channel, if you leave it at the default 192.168.1.0, you will run into a conflict with locations that use this address for their use. Hotels, Internet cafes, libraries rarely change the default setting for the addresses allocated within their networks.

2. Not sure what you are asking .. If you are asking to reuse the cert across multiple machines, you can do so. The only limitation is that only one device will be able to connect at any point in time. General rule of thumb is to have a separate cert for each device.

3. Visit whatsmyip.org before and after you establish the connection. You should see the address of the client (as the rest of the world sees it) change. Alternatively you can use the tracert command to validate the path that your client is taking.

4. I am sure you can write some script to do this. Sorry, I can't help you with that. You can check the list of connected devices on the 'Status|VPN' page.

5. Install the OpenVPN GUI from the OpenVPN.net site. The GUI will start the OpenVPN service and you can use the GUI to Start|Stop the connection to your VPN Server. If you use Vista/Win7, you will have to run the GUI as an administrator.

Hope this helps.
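
An added example, not part of the original thread or of DD-WRT/OpenVPN: the address conflict described in point 1 above, checked against the server-bridge line of the config posted earlier in the thread. The client-side networks are constructed sample values, and the function names are hypothetical.

```python
import ipaddress

# Server config as posted in the thread (only server-bridge is parsed).
POSTED_CONFIG = """\
mode server
proto udp
port 1194
dev tap0
server-bridge 192.168.1.2 255.255.255.0 192.168.1.230 192.168.1.249
keepalive 10 120
"""

def parse_server_bridge(config_text):
    """Return (bridged network, pool start, pool end) from a server-bridge line."""
    for line in config_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) == 5 and fields[0] == "server-bridge":
            gateway, netmask, start, end = fields[1:]
            # strict=False: the gateway is a host address inside the subnet
            network = ipaddress.ip_network(f"{gateway}/{netmask}", strict=False)
            return network, ipaddress.ip_address(start), ipaddress.ip_address(end)
    raise ValueError("no four-argument server-bridge directive found")

def check_bridge(config_text, client_local_nets):
    """List problems: pool outside the subnet, or overlap with a client-side LAN."""
    network, start, end = parse_server_bridge(config_text)
    problems = []
    if start not in network or end not in network or start > end:
        problems.append(f"pool {start}-{end} is not a valid range inside {network}")
    for cidr in client_local_nets:
        local = ipaddress.ip_network(cidr, strict=False)
        if local.overlaps(network):
            problems.append(f"client LAN {local} overlaps bridged subnet {network}")
    return problems

if __name__ == "__main__":
    # Constructed sample: networks a roaming client might be sitting on.
    for site in (["192.168.1.0/24"], ["10.20.30.0/24"]):
        print(site, "->", check_bridge(POSTED_CONFIG, site) or "no conflict")
```
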

RichTJ99
DD-WRT User


Joined: 21 Jan 2009
Posts: 68

Posted: Tue May 10, 2011 18:14
Thanks for getting back to me. I think I would be more comfortable with a password in this mix. Is there a way to add a password so when the VPN starts, it asks for a password before connecting?